--cert-selector multiple RDNs example #92

Open
anton-stamenov-SWO opened this issue Nov 21, 2024 · 2 comments

Comments

anton-stamenov-SWO commented Nov 21, 2024

I can't figure out how to create the selector.json in order to pass multiple RDNs for the x509Subject and x509Issuer keys.

If I set just the x509Serial, the certificate is found, but adding the subject or issuer with multiple RDNs is not working.

[
    {
        "Key": "x509Subject",
        "Value": "DC=global, DC=domain, OU=Productive, OU=Users, OU=End Users, OU=EMEA, OU=BG, CN=Stv An, [email protected]"
    },
    {
        "Key": "x509Issuer",
        "Value": "C=CH, ST=ZH, L=Wallisel, O=MKKVT GmbH, OU=BIT, CN=MKKVT Issuing Certificate Authority 2"
    },
    {
        "Key": "x509Serial",
        "Value": "2A000539A0855247927C658F440000000539A0"
    }
]
anton-stamenov-SWO changed the title from "--cert-selector multiple RNs example" to "--cert-selector multiple RDNs example" on Nov 21, 2024
13ajay (Contributor) commented Nov 22, 2024

Unfortunately the current logic is implemented as a complete string match. We're looking to change that in the future.

For now, you can try using the read-certificate-data diagnostic command to find how the values should look in order for the application to match them.

anton-stamenov-SWO (Author) commented

I used read-certificate-data, but the output it returned did not clearly indicate how to relate it to the selector configuration.

Here is an example with my certificate:

$ aws_signing_helper read-certificate-data --cert-selector file://$HOME/bin/.aws_signing_helper_selector.json

Matching identities
1) a85678d347dc85d90d93103dfe7a6a2e503cade4 "CN=Stv An,OU=Productive+OU=Users+OU=End Users+OU=EMEA+OU=BG,1.2.820.113549.1.9.1=#0b1e616e746f6e2e7374616d656e6f7640636f6674776172656f6e652e636f6d,0.9.2242.19200300.100.1.25=#1306646f6a61696e,0.9.2332.19210300.100.1.25=#1307676c6f62616c"

I've tested copying everything inside the quotes as "x509Subject," and it worked.

Now I realise that some of the OIDs are not resolved, and DER encoding is used for values. These unresolved OIDs look okay in OpenSSL, and values are visualised as strings. I've also dumped the types: IA5STRING is DER encoded, and PRINTABLESTRING is shown as strings. Anyway, I couldn't make OpenSSL output the subject DN in a suitable format.

What about x509Issuer format? Is it just x509Subject only visible through read-certificate-data?

$ cat as.pem | openssl x509 -noout -subject -nameopt RFC2253

[email protected],CN=Stv An,OU=BG,OU=EMEA,OU=End Users,OU=Users,OU=Productive,DC=domain,DC=global
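The string form the two DN keys have to equal, as an added example that is not part of the issue or of the credential helper's code. It assumes the helper compares x509Subject and x509Issuer against Go's cert.Subject.String() and cert.Issuer.String(), which is consistent with the read-certificate-data output quoted above; selectorMatches and sampleCert are hypothetical names, the subject values are constructed, and the x509Serial key is not covered.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// One entry of a --cert-selector JSON file ("Key"/"Value" as in the issue).
type selectorEntry struct{ Key, Value string }

// Hypothetical mirror of the helper's complete-string match (an assumption, not the project's
// code): each selector value must equal cert.Subject.String() / cert.Issuer.String() exactly.
// pkix.Name.String() lists RDNs in reverse DER order with no space after the commas, joins
// same-type attributes with '+', and writes OIDs Go has no short name for (DC, emailAddress)
// as OID=#<hex of the DER-encoded value>, which is why the OpenSSL-style DN never matches.
func selectorMatches(sel []selectorEntry, cert *x509.Certificate) bool {
	fields := map[string]string{"x509Subject": cert.Subject.String(), "x509Issuer": cert.Issuer.String()}
	for _, e := range sel {
		if got, ok := fields[e.Key]; !ok || got != e.Value {
			return false
		}
	}
	return true
}

// Certificate (constructed values, self-issued) whose subject has the DER layout of the issue's
// certificate, one single-valued RDN per attribute, filled the way x509.ParseCertificate fills cert.Subject.
func sampleCert() *x509.Certificate {
	oidDC, oidEmail := asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25}, asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}
	oidOU, oidCN := asn1.ObjectIdentifier{2, 5, 4, 11}, asn1.ObjectIdentifier{2, 5, 4, 3}
	atv := func(oid asn1.ObjectIdentifier, v string) pkix.RelativeDistinguishedNameSET {
		return pkix.RelativeDistinguishedNameSET{{Type: oid, Value: v}}
	}
	seq := pkix.RDNSequence{ // DER order; OpenSSL's RFC2253 output prints this reversed
		atv(oidDC, "global"), atv(oidDC, "domain"), atv(oidOU, "Productive"), atv(oidOU, "Users"),
		atv(oidOU, "End Users"), atv(oidOU, "EMEA"), atv(oidOU, "BG"), atv(oidCN, "Stv An"), atv(oidEmail, "a@b.ch"),
	}
	var name pkix.Name
	name.FillFromRDNSequence(&seq)
	return &x509.Certificate{Subject: name, Issuer: name}
}

func main() {
	cert := sampleCert()
	fmt.Println("x509Subject:", cert.Subject.String()) // paste verbatim into the selector file
	exact := []selectorEntry{{"x509Subject", cert.Subject.String()}, {"x509Issuer", cert.Issuer.String()}}
	openssl := []selectorEntry{{"x509Subject", "DC=global, DC=domain, OU=Productive, OU=Users, OU=End Users, OU=EMEA, OU=BG, CN=Stv An"}}
	fmt.Println("exact strings match:", selectorMatches(exact, cert), "| OpenSSL-style DN matches:", selectorMatches(openssl, cert))
}
```

For a real certificate, replace sampleCert with x509.ParseCertificate on the decoded PEM block and print the same two strings.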
